
Why is the adoption of service and information security management standards way ahead of the pack in Asia, with the UK and USA having a much lower adoption rate?

In this article I will be exploring some of the reasons for this adoption disparity. I will also be posing many questions, to which unfortunately I don’t have all the answers!

I have been reviewing the adoption and exploitation of International standards in the UK, specifically ISO/IEC 20000-1 for IT Service Management (ITSM) and ISO 27001 for Information security.

Demonstrable & auditable compliance to an accepted standard is a professional & proven approach. Reliance on ‘standards’ is everywhere including:

  • Accounting
  • Electrical appliances
  • Finance & manufacturing industries
  • Software design

The challenge of exploiting standards for ITSM remains:

  • Ensuring a standardised approach to delivering service
  • Addressing the ever-increasing issue of information security
  • Being ever more reliant on information technology
  • The increasing dependency on multiple suppliers - Gone are the days of an organisation depending on a single source supplier for all their services, support, software, and hardware
  • Organisations are looking for a robust Governance, Risk & Compliance (GRC) program that will enable them to manage compliance with regulations and internal policies

What is the gold standard for managing your service and support infrastructure?

The gold standard for ITSM is ISO/IEC 20000. Unfortunately, too many people see this more as a ‘control framework’ rather than a framework for efficiency and effectiveness. The objectives are clear:

  • To deliver consistent, standardised, efficient and reliable services to the business
  • To manage costs, reduce risk and increase the organisational value, while continually improving services and ensuring that the investment in service and support is being fully leveraged


Good practice vs ISO/IEC 20000

I often get asked the question “what is the difference between the various good practices and ISO/IEC 20000”. Here is a summary of what I regard as the key differences.

  • Good Practice DOES NOT STATE WHAT YOU MUST DO but gives many suggestions on how to approach service management – ISO/IEC 20000 states what must be done, and each organization decides how to do it
  • Good Practice DOES NOT insist on evidence to prove quality and progress - ISO/IEC 20000 does
  • Good Practice DOES NOT insist on evidence of continual improvement - ISO/IEC 20000 does 
  • Good Practice usage and quality CANNOT BE EXTERNALLY AUDITED or benchmarked - ISO/IEC 20000 can
  • Good Practice is intangible and HARDER TO SELL TO THE BUSINESS – ISO/IEC 20000 is tangible

After reviewing the number of organisations that received accredited certifications in 2018 by country and business sector, I was somewhat surprised with the results.


In summary

Service Management (ISO/IEC 20000-1) certifications in Asia are in the thousands, whereas in the UK and the USA, they are in the hundreds.
In the area of Information security standards (ISO 27001), China, India and Japan are way ahead of the pack, with the UK and USA again having much lower numbers.

I believe the reasons these specific standards are more prevalent in the top 3 countries are:

India - because of the large amount of outsourcing to India, service providers need to show that they are good at delivery of services and information security.

China - there can be some mistrust of Chinese goods and services around the world, so they need to show to their customers that they can be confident to buy Chinese.

Japan – there is a good fit with the use of processes and working to standards to achieve the high levels of achievement that are expected by every aspect of their culture.

“All these points feel like the UK many years ago”

It is ironic that the international Service Management standard ISO/IEC 20000 (formerly British Standard BS15000), the ITIL good practice framework and the Information Security standard ISO 27001 (formerly British Standard BS7799) ALL originated from the UK.

So, I pose the question “Why are the world’s fastest growing economies embracing these standards and we in the UK and the USA are NOT?”


Here’s a paradox

While the adoption of ISO 27001 (the International security standard) continues to grow exponentially in the UK and worldwide, we have witnessed a poor uptake of companies adopting ISO/IEC 20000 in the UK compared to the rest of the world. Yet both standards complement and support each other.

I believe that ISO 27001, due to the high profile of security breaches, scams and frauds, has a high business price, with its adoption being mandated by the business at a senior level, whereas ISO/IEC 20000 has had a more limited profile, as many of the major IT failures have been due to organisations’ own staff with failures in their infrastructure management and change control.

Some concerns and observations I have identified when discussing with organisations why they believe the adoption of ISO/IEC 20000 will not help are:

  • A misplaced belief that adopting standards is difficult, time consuming, expensive and not needed, since everything within the service department is working well and no improvements are required.
  • The Service or IT department is focused on embracing technology alone to improve their service and value to the business. Certainly, at the moment a great deal of energy is spent on digital transformation, AI and machine learning trends when the basics of service quality and improvements and understanding business requirements have not yet been tackled. 
  • A belief that it would be simpler to change suppliers, tools or jump to the next “flavour of the month or framework” if things aren’t working out
  • A reluctance among suppliers to demonstrate what a great job they do and, more importantly, an unwillingness to be externally audited to prove or evidence this.
  • A limited understanding and involvement with the business about what they regard as value, the required outcomes and priorities.

I find these concerns and observations totally lacking in substance and reasoning, since in most cases the adoption of standards and structured ways of working are the reasons for the efficient running of business and support services.

Instead of alignment we need to think of the relationship in terms of convergence. IT does not just support the business but in fact, it enables and transforms the business. With true convergence, we want a strategic partnership with the business. The relationship between the business and IT is critical to the success of the organisation.

But all service providers understand the goal and benefits of service management:

To deliver consistent, standardised, efficient and reliable services to the business, to manage costs, reduce risk and increase the organisational value, while continually improving services and ensuring that the investment in service and support is being fully leveraged.



One reason why the adoption of ITSM standards and not simply good practices like ITIL has not been achieved (or simply embraced) is that you are first required to take a long, hard look at the way you do things, your culture, your processes and procedures. Be honest about your strengths and weaknesses, make some hard decisions, then make improvements, evidence and compare your performance against a worldwide standard, and finally be audited to prove your adherence to it (e.g. “If you can’t prove it - you don’t do it”).

The adoption of ISO/IEC 20000 combined with ISO 27001 can be used and exploited in any area of the business requiring high quality service delivery combined with information security. Once firmly embedded into the culture and psyche of every member of staff and the business culture, the use of the standards becomes business as usual. ISO/IEC 20000 is a superb tool set for your organisation to demonstrate what a great job your Service departments do and, importantly, it highlights their on-going contribution to the success of the business as a whole and ensures organisational confidence and value in you as a service provider.

You need to adopt ISO/IEC 20000 but remember – if you don’t deliver a first-class service, someone else will.


Dr. Don Page, Strategic Director of Service Management, Marval
